SSL Certificate CSR Generation Instructions Apache + Mod_SSL + OpenSSL

Follow these instructions to generate a CSR for your Web site. When you have completed this process, you will have a CSR ready to submit to your provider in order to be generated into a SSL Security Certificate.

1. Create a RSA key for your Apache server:

cd /apacheserverroot/conf/ssl.key (ssl.key is the default key directory.)

If you have a different path, cd to your server’s private key directory

2. Enter the following command to generate a private key that is file encrypted. You will be prompted for the password to access the file and also when starting your webserver:

openssl genrsa -des3 -out domainname.key 1024

Warning: If you lose or forget the passphrase, you will not be able to use the certificate.

You could also create a private key without file encryption if you do not want to enter the passphrase when starting your webserver:

openssl genrsa -out domainname.key 1024

Note: We recommend that you name the private key using the domain name that you are purchasing the certificate for ie domainname.key
3. Type the following command to create a CSR with the RSA private key (output will be PEM format):

openssl req -new -key domainname.key -out domainname.csr

Note: You will be prompted for your PEM passphrase if you included the "-des3" switch in step 3. When creating a CSR you must follow these conventions:

• Enter the information to be displayed in the certificate. The following characters can not be accepted: < > ~ ! @ # $ % ^ / \ ( ) ?.,&
• If you are applying for a wildcard certificate you must state * in place of the sub domain, for example *.yourdomain.com instead of www.yourdomain.com

You will now be prompted for information to include within the CSR:

Country Name (2 letter code) [AU]:	US (must be two letter country code, note for United Kingdom the country code must be GB and NOT UK)
State or Province Name (full name) [Some-State]:	The state or province where your organization is legally located. This cannot be abbreviated and must be entered in full.
Locality Name (eg, city) []:	The city where your organization is legally located.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:	The exact legal name of your organization. Do not abbreviate your organization name.
Organizational Unit Name (eg, section) []:	Section of the organization, such as Marketing or Web Development.
Common Name (eg, YOUR name) []:	The fully qualified domain name for your web server. This must be an exact match. If you intend to secure the URL https://www.yourdomain.com, then your CSR's common name must be www.yourdomain.com. If you applying for a wildcard certificate to secure all sub domains on your domain, the common name must be *.yourdomain.com.
Email Address []:	Leave this field blank by just pressing return.
A challenge password []:	Leave this field blank by just pressing return.
An optional company name []:	Leave this field blank by just pressing return.

4. If you would like to verify the contents of the CSR, use the following command:

openssl req -noout -text -in domainname.csr

5. Create a backup of your private key. If the private key is lost your CSR and Certificate will be invalid. Make a copy of the private key file (domainname.key) generated earlier and store it in a safe place! The private key file should begin with (when using a text editor):

-----BEGIN RSA PRIVATE KEY----- and end with -----END RSA PRIVATE KEY-----

6. Your CSR will now have been created. Open the domainname.csr in a text editor and copy and paste the contents into the online enrollment form when requested.